DoS attack on DNS

23/02/2009 - 15:00 by Frank Kirschner
Hello,
since last night I have been logging empty queries among the DNS requests (approx. 4000
per second)

23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.518 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.519 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.523 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.524 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.525 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.527 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.531 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.533 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +


Then there are also these (likewise approx. 4000 per second):

23-Feb-2009 14:05:56.464 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.470 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.483 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.489 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.500 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.508 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.517 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.521 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.533 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.539 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.546 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.558 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.565 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.572 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.584 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.591 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +

What could be the reason for this? A trojan / virus trying to achieve a DoS of the
DNS, to poison the DNS cache? Bind is running in the current
version 9.4.3-P1. One option would be to limit the requests via netfilter,
or would I be overreacting with that?

best regards
Frank
 


#1 Holger Marzen
23/02/2009 - 15:05
* On Mon, 23 Feb 2009 15:00:21 +0100, Frank Kirschner wrote:

> Hello,
> since last night I have been logging empty queries among the DNS requests (approx. 4000
> per second)
>
> 23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.518 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.519 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.523 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.524 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.525 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.527 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.531 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.533 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +



Is your machine connected to the Internet and receiving packets with a 10.x
sender address? Then I would simply forbid spoofing, either with
a kernel function (Linux) or with packet filter rules.
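
An added example, not part of the original thread: a small Python parser for the query-log format quoted above that reports, per client, the peak queries per second, the dominant query name, whether every query came from one source port, and whether the source address is private. The function name `flood_report`, the threshold and the sample lines (constructed in the thread's format, including the client 10.48.0.20) are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# One BIND 9.4 querylog record per line, in the format quoted in the thread.
RECORD = re.compile(
    r"^(?P<sec>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ queries: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def flood_report(lines, qps_threshold):
    """Summarise clients whose peak per-second query count exceeds qps_threshold."""
    per_second = defaultdict(Counter)  # ip -> {timestamp truncated to the second: count}
    qnames = defaultdict(Counter)      # ip -> {query name: count}
    ports = defaultdict(set)           # ip -> source ports seen
    for line in lines:
        m = RECORD.match(line.strip())
        if m is None:
            continue  # not a query record (other log categories, wrapped fragments)
        per_second[m["ip"]][m["sec"]] += 1
        qnames[m["ip"]][m["qname"]] += 1
        ports[m["ip"]].add(int(m["port"]))
    report = {}
    for ip, buckets in per_second.items():
        peak = max(buckets.values())
        if peak <= qps_threshold:
            continue
        name, hits = qnames[ip].most_common(1)[0]
        report[ip] = {
            "peak_qps": peak,
            "top_qname": name,
            "top_share": hits / sum(qnames[ip].values()),
            "single_source_port": len(ports[ip]) == 1,
            "private_source": ip_address(ip).is_private,
        }
    return report

# Constructed sample: 10 empty-name queries in one second, two named, one quiet client.
SAMPLE = [
    f"23-Feb-2009 13:20:15.{ms} queries: info: client 10.48.0.19#2048: query: \\(none\\) IN A +"
    for ms in range(516, 526)
] + [
    "23-Feb-2009 14:05:56.464 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +",
    "23-Feb-2009 14:05:56.470 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +",
    "23-Feb-2009 14:05:57.001 queries: info: client 10.48.0.20#33211: query: www.example.org IN A +",
]

print(flood_report(SAMPLE, 5))
```

The records must be fed one per line; log lines that were wrapped in transit, as in the original posting, need to be rejoined first.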
